Manalyze report for 5c5a893e04df40f909a2ccabc0b05288

Summary

Architecture	`IMAGE_FILE_MACHINE_I386`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
Compilation Date	2014-Oct-21 15:22:55
Detected languages	English - United States
Comments	Command-line program to download videos from YouTube.com and other video sites
FileDescription	YouTube video downloader
FileVersion	`2021.06.06`
OriginalFilename	youtube-dl.exe
ProductName	youtube-dl
ProductVersion	`2021.06.06`

Plugin Output

Info	Matching compiler(s):	`Microsoft Visual C++ 6.0 - 8.0`
Suspicious	Strings found in the binary may indicate undesirable behavior:	`Looks for Qemu presence: qEMu` `Contains another PE executable: This program cannot be run in DOS mode.` `Contains domain names: BeOpen.com YouTube.com http://python.org python.org`
Info	Cryptographic algorithms detected in the binary:	`Uses constants related to CRC32` `Uses constants related to MD5` `Uses constants related to SHA1` `Uses constants related to SHA256` `Uses known Mersenne Twister constants`
Suspicious	The PE contains functions most legitimate programs don't use.	`[!] The program may be hiding some of its imports: GetProcAddress LoadLibraryExW LoadLibraryA` `Memory manipulation functions often used by packers: VirtualProtect VirtualAlloc`
Malicious	The PE is possibly a dropper.	`Resource 1 detected as a PE Executable.`
Malicious	The file contains overlay data.	`5404213 bytes of data starting at offset 0x2a4200.` `The file contains a Zip Compressed Archive after the PE data.`
Safe	VirusTotal score: 0/64 (Scanned on 2022-06-30 19:43:50)	`All the AVs think this file is safe.`

Hashes

MD5	`5c5a893e04df40f909a2ccabc0b05288`
SHA1	`b728a32e64b537a76e5b31282c64095fb98022e0`
SHA256	`78c009f4cf8ae56db150800d55faaac97c127c76c89715b23fe406d85c3c0628`
SHA3	`4934047f132e2b8792a865eacfa40c4c54547fda4baab80caf4536ae7a24e270`
SSDeep	`196608:v/8LCDTWjUJTVkQ0id7ZFceCtbQY7YT4Z7GP:v/9DL9q5iXqxYcAP`
Imports Hash	`985a7b86c383570b8555b38c1f270b55`

DOS Header

e_magic	`MZ`
e_cblp	`0x90`
e_cp	`0x3`
e_crlc	`0`
e_cparhdr	`0x4`
e_minalloc	`0`
e_maxalloc	`0xffff`
e_ss	`0`
e_sp	`0xb8`
e_csum	`0`
e_ip	`0`
e_cs	`0`
e_ovno	`0`
e_oemid	`0`
e_oeminfo	`0`
e_lfanew	`0xe8`

PE Header

Signature	`PE`
Machine	`IMAGE_FILE_MACHINE_I386`
NumberofSections	`5`
TimeDateStamp	2014-Oct-21 15:22:55
PointerToSymbolTable	`0`
NumberOfSymbols	`0`
SizeOfOptionalHeader	`0xe0`
Characteristics	`IMAGE_FILE_32BIT_MACHINE` `IMAGE_FILE_EXECUTABLE_IMAGE`

Image Optional Header

Magic	`PE32`
LinkerVersion	`10.0`
SizeOfCode	`0x2c00`
SizeOfInitializedData	`0x2a1200`
SizeOfUninitializedData	`0`
AddressOfEntryPoint	`0x0000367A (Section: .text)`
BaseOfCode	`0x1000`
BaseOfData	`0x4000`
ImageBase	`0x400000`
SectionAlignment	`0x1000`
FileAlignment	`0x200`
OperatingSystemVersion	`5.1`
ImageVersion	`0.0`
SubsystemVersion	`5.1`
Win32VersionValue	`0`
SizeOfImage	`0x2a7000`
SizeOfHeaders	`0x400`
Checksum	`0`
Subsystem	`IMAGE_SUBSYSTEM_WINDOWS_CUI`
DllCharacteristics	`IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE` `IMAGE_DLLCHARACTERISTICS_NX_COMPAT` `IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE`
SizeofStackReserve	`0x100000`
SizeofStackCommit	`0x1000`
SizeofHeapReserve	`0x100000`
SizeofHeapCommit	`0x1000`
LoaderFlags	`0`
NumberOfRvaAndSizes	`16`

.text

MD5	`8b85a4f492779c45154ff07b69fe7e61`
SHA1	`5771eb47ad71e460c9100cc01defe1ac998e50d5`
SHA256	`686ca5aa186e2d5e19da6c997d1a819844984e340239c207cde4258058e5cee9`
SHA3	`8ed229c0473f8c37745df6a89978d8830083ef83670def94d0616c26fd1a43b8`
VirtualSize	`0x2bda`
VirtualAddress	`0x1000`
SizeOfRawData	`0x2c00`
PointerToRawData	`0x400`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_CODE` `IMAGE_SCN_MEM_EXECUTE` `IMAGE_SCN_MEM_READ`
Entropy	`6.03108`

.rdata

MD5	`f3f5362630405e292f61c017596f2ea2`
SHA1	`eb84d5a641532c1c9e41ec8fd87714b0a4619830`
SHA256	`ab0edd40e6fabf78953017ae0830edcf2b32d18ae9b499abdbe6941323b14f9b`
SHA3	`2afe9160af9a559fe49a9c0c387e10427efc06a15adde3d8d030caa8cda5724e`
VirtualSize	`0xf2a`
VirtualAddress	`0x4000`
SizeOfRawData	`0x1000`
PointerToRawData	`0x3000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`5.06508`

.data

MD5	`4c1ffc06e71a4f11c7eefdcce51e96d8`
SHA1	`ad5d968012a00e01254c9222214e5962cf18a0ef`
SHA256	`f5bcba8f88f24c4a778a63d9d913c15bf2235bde38044b926f42fdaa5f36436c`
SHA3	`24861555fedd30de496bbeed2d636d1088e4b4566c4504bf5f8067370363a679`
VirtualSize	`0x1dac`
VirtualAddress	`0x5000`
SizeOfRawData	`0xc00`
PointerToRawData	`0x4000`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ` `IMAGE_SCN_MEM_WRITE`
Entropy	`4.87751`

.rsrc

MD5	`6ff155379ab7655d2d8523d9e0497c78`
SHA1	`b9fa84eeb632a1481ad23fa923bdfd7b6b61e879`
SHA256	`3b39005ad15083bf13810cb0df917bf281cd98f90720f48cf5fb591ef6b404f8`
SHA3	`849476456a2a1cf1064fe4628278ed13c5928d941625f72b3f42325872cc89ed`
VirtualSize	`0x29ee1c`
VirtualAddress	`0x7000`
SizeOfRawData	`0x29f000`
PointerToRawData	`0x4c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_READ`
Entropy	`6.65376`

.reloc

MD5	`b10e837b26899f068b0fcadcce4df280`
SHA1	`9bf053f37d6c73a392dfa4d4060f9ced29668ad1`
SHA256	`39e46a829f1d826cd6e9da897d0ddab3b7dfcd28f83c134e45b807e498f86258`
SHA3	`58489df579037f745539b6904844947c4b2708e08c3e9cf5dec71e588743ce9f`
VirtualSize	`0x56a`
VirtualAddress	`0x2a6000`
SizeOfRawData	`0x600`
PointerToRawData	`0x2a3c00`
PointerToRelocations	`0`
PointerToLineNumbers	`0`
NumberOfLineNumbers	`0`
NumberOfRelocations	`0`
Characteristics	`IMAGE_SCN_CNT_INITIALIZED_DATA` `IMAGE_SCN_MEM_DISCARDABLE` `IMAGE_SCN_MEM_READ`
Entropy	`5.82481`

Imports

USER32.dll	`MessageBoxA`
SHELL32.dll	`SHGetSpecialFolderPathW`
MSVCR100.dll	`_lock` `_except_handler4_common` `_invoke_watson` `_controlfp_s` `_crt_debugger_hook` `__dllonexit` `_unlock` `?terminate@@YAXXZ` `__set_app_type` `_fmode` `_commode` `__setusermatherr` `_configthreadlocale` `_initterm_e` `_initterm` `__winitenv` `exit` `_XcptFilter` `_exit` `_cexit` `__wgetmainargs` `_amsg_exit` `malloc` `_strdup` `strtol` `wcstombs` `strncmp` `free` `_stricmp` `realloc` `memset` `memcpy` `_fileno` `_setmode` `setvbuf` `atoi` `getenv` `_snwprintf` `wcsncmp` `wcsrchr` `fprintf` `__iob_func` `strncpy` `_onexit`
KERNEL32.dll	`IsDebuggerPresent` `UnhandledExceptionFilter` `GetCurrentProcess` `GetSystemTimeAsFileTime` `GetCurrentProcessId` `GetCurrentThreadId` `GetTickCount` `QueryPerformanceCounter` `DecodePointer` `SetUnhandledExceptionFilter` `EncodePointer` `HeapSetInformation` `InterlockedCompareExchange` `Sleep` `InterlockedExchange` `OutputDebugStringA` `GetModuleHandleW` `SetDllDirectoryW` `SetDllDirectoryA` `GetModuleHandleA` `HeapAlloc` `GetThreadLocale` `lstrlenA` `GetProcessHeap` `HeapFree` `GetProcAddress` `IsBadReadPtr` `SetLastError` `VirtualFree` `VirtualProtect` `VirtualAlloc` `LoadLibraryExW` `SizeofResource` `FreeLibrary` `LoadLibraryA` `FindResourceA` `LoadResource` `LockResource` `GetModuleFileNameW` `GetLastError` `FormatMessageA` `LocalFree` `TerminateProcess`

Delayed Imports

PyArg_ParseTuple

Ordinal	`1`
Address	`0x3030`

PyBool_FromLong

Ordinal	`2`
Address	`0x32f0`

PyBytes_AsString

Ordinal	`3`
Address	`0x31a0`

PyCFunction_NewEx

Ordinal	`4`
Address	`0x3350`

PyErr_Clear

Ordinal	`5`
Address	`0x2d90`

PyErr_Occurred

Ordinal	`6`
Address	`0x2dc0`

PyErr_Print

Ordinal	`7`
Address	`0x2df0`

PyErr_SetImportError

Ordinal	`8`
Address	`0x2b80`

PyErr_SetObject

Ordinal	`9`
Address	`0x32c0`

PyErr_SetString

Ordinal	`10`
Address	`0x2bb0`

PyEval_EvalCode

Ordinal	`11`
Address	`0x2f70`

PyExc_ImportError

Ordinal	`12`
Address	`0x5f14`

PyExc_RuntimeError

Ordinal	`13`
Address	`0x5f18`

PyExc_SystemError

Ordinal	`14`
Address	`0x5f1c`

PyGILState_Ensure

Ordinal	`15`
Address	`0x2ca0`

PyGILState_Release

Ordinal	`16`
Address	`0x2c70`

PyImport_AddModule

Ordinal	`17`
Address	`0x2e80`

PyImport_AppendInittab

Ordinal	`18`
Address	`0x2fa0`

PyImport_ImportModule

Ordinal	`19`
Address	`0x3200`

PyLong_FromLong

Ordinal	`20`
Address	`0x3000`

PyLong_FromVoidPtr

Ordinal	`21`
Address	`0x2b50`

PyModule_Create2

Ordinal	`22`
Address	`0x2fd0`

PyModule_GetDef

Ordinal	`23`
Address	`0x31d0`

PyModule_GetDict

Ordinal	`24`
Address	`0x2eb0`

PyObject_CallObject

Ordinal	`25`
Address	`0x30e0`

PyObject_SetAttrString

Ordinal	`26`
Address	`0x3320`

PyRun_InteractiveLoopFlags

Ordinal	`27`
Address	`0x2c10`

PyRun_SimpleStringFlags

Ordinal	`28`
Address	`0x2c40`

PySequence_GetItem

Ordinal	`29`
Address	`0x2f10`

PySequence_Size

Ordinal	`30`
Address	`0x2f40`

PySys_SetArgvEx

Ordinal	`31`
Address	`0x2e50`

PySys_SetObject

Ordinal	`32`
Address	`0x3290`

PyTuple_New

Ordinal	`33`
Address	`0x3110`

PyTuple_SetItem

Ordinal	`34`
Address	`0x3140`

PyUnicode_FromFormat

Ordinal	`35`
Address	`0x3070`

PyUnicode_FromString

Ordinal	`36`
Address	`0x3170`

PyUnicode_FromWideChar

Ordinal	`37`
Address	`0x30b0`

Py_FdIsInteractive

Ordinal	`38`
Address	`0x2be0`

Py_Finalize

Ordinal	`39`
Address	`0x2d30`

Py_GetPath

Ordinal	`40`
Address	`0x2cd0`

Py_Initialize

Ordinal	`41`
Address	`0x2d60`

Py_IsInitialized

Ordinal	`42`
Address	`0x2b20`

Py_SetPath

Ordinal	`43`
Address	`0x2d00`

Py_SetProgramName

Ordinal	`44`
Address	`0x2e20`

_PyImport_FindExtensionObject

Ordinal	`45`
Address	`0x3230`

_PyImport_FixupExtensionObject

Ordinal	`46`
Address	`0x3260`

1

Type	`PYTHON34.DLL`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x29e000`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`6.65459`
Detected Filetype	PE Executable
MD5	`068a2d61282b8c110cd652bfdf99c95f`
SHA1	`62b6f9a66f168e3a001f5b80ef686339bfbdb102`
SHA256	`fdcb5f85b9fa3bedcc9b2a999e8bd733412b60d9e5f9faa9d1a5858ae753f3c4`
SHA3	`6d42c3d8fe0676488b23c889a23cb465f6b6b3e091ac7ddac5c86cdd9b9dda8f`

1 (#2)

Type	`PYTHONSCRIPT`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0xa19`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`4.60394`
MD5	`69a1f1b81eaa5169302afb8c44de6562`
SHA1	`34c233acf8ab6a953a1e5210cf21ede5b49ffec6`
SHA256	`f5a4327e14ed40763d5ff6f1e6bcfe5bbab16781d7f87b64f4fd5fae620e722e`
SHA3	`67bb6731c7b9afd5a7a7db04c41514bea7207abc87f873d97a6c378c452e1914`

1 (#3)

Type	`RT_VERSION`
Language	UNKNOWN
Codepage	Latin 1 / Western European
Size	`0x2e4`
TimeDateStamp	1980-Jan-01 00:00:00
Entropy	`3.39077`
MD5	`8baa1f02afc3b07446400090671bfaeb`
SHA1	`f72d0c235d5ecfae77ba93e8ee18206a63ee16b5`
SHA256	`b7e338986bba7af5310f4b5b180374d919a36ce38ad03304b1f2a0abc6bf7561`
SHA3	`c21d7b584307bc75ca31e5a343662bf2ab8782db4ac4b9633fd365d2b1d4a575`

Version Info

Signature	`0xfeef04bd`
StructVersion	`0x10000`
FileVersion	2021.6.6.0
ProductVersion	1.0.0.1
FileFlags	`(EMPTY)`
FileOs	`VOS_DOS_WINDOWS32` `VOS_NT` `VOS_NT_WINDOWS32` `VOS_WINCE` `VOS__WINDOWS32`
FileType	`VFT_APP`
Language	English - United States
Comments	Command-line program to download videos from YouTube.com and other video sites
FileDescription	YouTube video downloader
FileVersion (#2)	2021.06.06
OriginalFilename	youtube-dl.exe
ProductName	youtube-dl
ProductVersion (#2)	2021.06.06

Resource LangID	UNKNOWN

TLS Callbacks

Load Configuration

Size	`0x48`
TimeDateStamp	`1970-Jan-01 00:00:00`
Version	`0.0`
GlobalFlagsClear	`(EMPTY)`
GlobalFlagsSet	`(EMPTY)`
CriticalSectionDefaultTimeout	`0`
DeCommitFreeBlockThreshold	`0`
DeCommitTotalFreeThreshold	`0`
LockPrefixTable	`0`
MaximumAllocationSize	`0`
VirtualMemoryThreshold	`0`
ProcessAffinityMask	`0`
ProcessHeapFlags	`(EMPTY)`
CSDVersion	`0`
Reserved1	`0`
EditList	`0`
SecurityCookie	`0x405ad8`
SEHandlerTable	`0x4041e0`
SEHandlerCount	`1`

RICH Header

XOR Key	`0x4813b6c5`
Unmarked objects	`0`
Imports (VS2010 SP1 build 40219)	`2`
ASM objects (VS2010 SP1 build 40219)	`1`
C++ objects (VS2010 SP1 build 40219)	`2`
Imports (VS2008 SP1 build 30729)	`7`
Total imports	`89`
C objects (VS2010 SP1 build 40219)	`26`
Exports (VS2010 SP1 build 40219)	`1`
Resource objects (VS2010 SP1 build 40219)	`1`
Linker (VS2010 SP1 build 40219)	`1`

Errors

[*] Warning: Raw bytes from section .rsrc could not be obtained.